220.127.116.11.18.104.22.168.2 Request on Behalf of Using CMS and CMC Request Format
contentType: This field MUST be set to the OID szOID_RSA_signedData (1.2.840.113522.214.171.124, id-signedData). If it is not, the CA MUST return a non-zero error.
content: This field is a SignedData structure. If it is not, the CA MUST return a non-zero error.
encapContentInfo: This field MUST have the following values for its fields:
eContentType: This field MUST be set to the OID szOID_CT_PKI_DATA (126.96.36.199.188.8.131.52.2, Id-cct-PKIData). If it is not, the CA MUST return a non-zero error.
eContent: This field MUST be a PKIData structure, as specified in [RFC2797] section 3.1. The PKIData structure MUST adhere to the following requirements:
TaggedRequest: This field MUST contain exactly one certificate request. The certificate request MUST be PKCS #10 conforming to rules specified in sections 184.108.40.206.5 and 220.127.116.11.18.104.22.168.1. If it is not, the CA MUST return a non-zero error.
TaggedAttribute: This field MUST include the RegInfo attribute (as specified in [RFC2797] section 5.12). The RegInfo value MUST include the OID szENROLLMENT_NAME_VALUE_PAIR (22.214.171.124.4.1.3126.96.36.199) attribute. The value of the attribute MUST include the requestername name-value pair. The value of the requestername name-value pair MUST be used to construct the Subject field in the issued certificate.
certificates: This field MUST include all the certificates that are associated with the private keys used to sign the certificate request. The certificates MUST have the certificate request agent EKU (188.8.131.52.4.1.3184.108.40.206).
signerInfos: The signing MUST be done with the key (or keys) associated with the already issued certificate (or certificates) that are passed in the certificates field.